CIS 192 – Lesson 6

Lesson Module Status
• Slides – draft
• Properties – done
• Flashcards – na
• 1st minute quiz – done
• Web Calendar summary – done
• Web book pages – done
• Commands –
• Howtos –
• Skills pacing – na
• Lab – done
• Depot (VMs) – restored

Course history and credits
Jim Griffin
• Jim created the original version of this course
• Jim’s site: http://cabrillo.edu/~jgriffin/
Rick Graziani
• Thanks to Rick Graziani for the use of some of his great network slides
• Rick’s site: http://cabrillo.edu/~rgraziani/

CCC Confer: www.cccconfer.org
Dial-in: 888-886-3951, passcode: 439080
Attendees: Joe P., John, Joe A., Robert, Chuck, Chris B., Rich, Josh, Jesus, Chris H., Casady, Lieven, Edwin, Jack, Julio, Drew, Edgar, Kay, Junious, Aaron, Ryan, Joe B., Brynden
Email me ([email protected]) a relatively current photo of your face for 3 points extra credit

Quiz
Please take out a blank piece of paper, switch off your monitor, close your books, put away your notes and answer these questions:
• How do you find out if vsftpd is installed?
• What two ports does FTP use?
• What command shows the ports on your system that are open and listening for requests?

Activity
Install telnet-server and vsftpd on Arwen:
• Revert Arwen to its snapshot
• Cable Arwen to the classroom network (bridged)
• Use dhclient eth0 to get an IP address
• Use yum install telnet-server vsftpd to install the Telnet and FTP server applications
• Use dhclient -r eth0 to release the IP address
• Recable to VMnet3 (Outside)
Diagram: Internet – Lab Router (.1) – Shire 172.30.1.0/24 – Arwen eth0 (bridged, dhcp); DNS: 207.62.187.53

After installing the packages:

    [root@arwen ~]# rpm -qa | grep telnet
    telnet-0.17-39.el5
    telnet-server-0.17-39.el5
    [root@arwen ~]# rpm -qa | grep vsftpd
    vsftpd-2.0.5-16.el5
    [root@arwen ~]#

Firewalls and NAT
Objectives
• Configure a network service with security restrictions for its use using either TCP Wrappers or a superdaemon.
• Use iptables to build a permissive firewall by selectively filtering packets based on protocol type.
• Create a secure tunnel between two hosts that allows port forwarding into a private network.
• Use Network Address Translation (NAT) to allow hosts on a private network to access the Internet.
Agenda
• Quiz
• Questions on previous material
• Scripting network setting changes
• Housekeeping
• Wrap up transport layer
• Application Layer
• Super daemons
• TCP wrappers
• Telnet
• FTP
• SSH
• SSH port forwarding
• Example firewall and NAT
• Netfilter
• Lab 5 Prep
• Wrap

Questions on previous material
Questions?
• Previous lesson material
• Lab assignment

Housekeeping
• Lab 4 due today!
• MSDN AA success?
• Test 1 graded; a few students still need to take it before we can go over the results
• Mike Brogan from Cruzio on May 25th
• Use the forum for any MSDN AA issues
• Hands-on cabling using system pods
• Revert and power up the Frodo, Elrond and Arwen VMs for tonight

Finish up TCP

Transport Layer
Objectives:
• Understand key TCP header information
• Understand how TCP connections are made and ended
• Understand how a socket is defined
• Recognize connection state changes and sockets by looking at Wireshark captures

Protocol and Reference Models
• The Open Systems Interconnection (OSI) model is the most widely known internetwork reference model.

Transport Layer
Encapsulation: the application layer header + data becomes the payload behind the Layer 4 (Transport) TCP or UDP header, which is in turn carried inside the Layer 3 (Network) and Layer 2 (Data Link) headers.

Transport Layer: The Transmission Control Protocol
TCP header:
• Ports are used to identify the application
• Sequence and acknowledgement numbers are used for flow control
• ACK, SYN and FIN flags are used for initiating connections, acknowledging data received and terminating connections
• Window size is used to communicate the buffer size of the recipient
• Options like SACK permit selective acknowledgement
• Data contains application-specific information

User Datagram Protocol (UDP) = Connectionless, Stateless, Unreliable
Transmission Control Protocol (TCP) = Connection-oriented, Stateful, Reliable

TCP Header (bits 0 to 31)

     0                15 16                31
    +------------------+-------------------+
    |  16-bit Source   |  16-bit Dest.     |
    |  Port Number     |  Port Number      |
    +------------------+-------------------+
    |          32-bit Sequence Number      |
    +--------------------------------------+
    |      32-bit Acknowledgement Number   |
    +------+--------+------+---------------+
    |4-bit | 6-bit  |UAPRSF|   16-bit      |
    |Header|(Reser- |RCSSYI|   Window      |
    |Length|  ved)  |GKHTNN|   Size        |
    +------+--------+------+---------------+
    | 16-bit TCP       | 16-bit Urgent     |
    | Checksum         | Pointer           |
    +------------------+-------------------+
    |          Options (if any)            |
    +--------------------------------------+
    |           Data (if any)              |
    +--------------------------------------+

E.g. HTTP is port 80.

Transport Layer: Sockets
Sockets are communication endpoints; a socket is an IP address plus a port number, and the pair of sockets at the two ends (RFC 793 calls it the socket pair) defines a network connection between two computers:
• Source IP address (SA)
• Destination IP address (DA)
• Source port number (SP)
• Destination port number (DP)
A connection is uniquely defined by the source IP address, source port, destination IP address, and destination port.

Transport Layer: Initiating a new TCP Connection (Three-Way Handshake)
Client in the open state, server in the listen state:
1. SYN (client -> server)
2. SYN-ACK (server -> client)
3. ACK (client -> server)
Both ends are then in the established state.
AN = Acknowledgment Number, SN = Sequence Number, ACK = ACK flag set, SYN = SYN flag set

Transport Layer: Continuing communications on an established connection
• The Sliding Window: used for flow control; allows sending additional segments before an acknowledgement is received, based on the recipient's buffer size.
• Flow Control (cumulative acknowledgment): the recipient tells the sender the size of its input buffer and sends acknowledgements when data has been received. Sequence numbers are used to detect missing segments.
• The SACK option: selective acknowledgement, so only the dropped segments need to be retransmitted.
• The RST flag: used to terminate a connection when an abnormal situation happens.

Transport Layer: Closing a TCP Connection (Four-Way Handshake)
Client initiates the close from the established state; the server is in the established state:
1. FIN, ACK (client -> server)
2. ACK (server -> client)
3. FIN, ACK (server -> client)
4. ACK (client -> server)
Both applications end; both ends are then in the closed state.
AN = Acknowledgment Number, SN = Sequence Number, ACK = ACK flag set, FIN = FIN flag set

FTP active mode (capture example)
Topology: Frodo eth0 .83 and Elrond eth0 .107 on Shire 172.30.4.0/24; Elrond eth1 .107 and Legolas eth0 .150 on Rivendell 192.168.2.0/24. Elrond is the firewall, Legolas the FTP server.
Active mode is when the server initiates the new connection for the data transfer. Socket for the data transfer: client 172.30.4.83 port 42571, server 192.168.2.150 port 20.

    ftp> get legolas
    local: legolas remote: legolas
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for legolas (18 bytes).
    226 File send OK.
    18 bytes received in 0.04 secs (0.5 kB/s)

Capture sequence: retrieve the legolas file; 3-way handshake initiated by the server; file transfer; 4-way handshake to close the connection.

Tunable Kernel Parameters

Exercise
Explore the TCP, UDP and other variables in the /proc/sys/net/ipv4 directory:

    [root@bigserver ~]# ls /proc/sys/net/ipv4
    cipso_cache_bucket_size            ip_dynaddr              tcp_dsack              tcp_retries2
    cipso_cache_enable                 ip_forward              tcp_ecn                tcp_rfc1337
    cipso_rbm_optfmt                   ipfrag_high_thresh      tcp_fack               tcp_rmem
    cipso_rbm_strictvalid              ipfrag_low_thresh       tcp_fin_timeout        tcp_sack
    conf                               ipfrag_max_dist         tcp_frto               tcp_slow_start_after_idle
    icmp_echo_ignore_all               ipfrag_secret_interval  tcp_keepalive_intvl    tcp_stdurg
    icmp_echo_ignore_broadcasts        ipfrag_time             tcp_keepalive_probes   tcp_synack_retries
    icmp_errors_use_inbound_ifaddr     ip_local_port_range     tcp_keepalive_time     tcp_syncookies
    icmp_ignore_bogus_error_responses  ip_nonlocal_bind        tcp_low_latency        tcp_syn_retries
    icmp_ratelimit                     ip_no_pmtu_disc         tcp_max_orphans        tcp_timestamps
    icmp_ratemask                      neigh                   tcp_max_syn_backlog    tcp_tso_win_divisor
    igmp_max_memberships               netfilter               tcp_max_tw_buckets     tcp_tw_recycle
    igmp_max_msf                       route                   tcp_mem                tcp_tw_reuse
    inet_peer_gc_maxtime               tcp_abc                 tcp_moderate_rcvbuf    tcp_window_scaling
    inet_peer_gc_mintime               tcp_abort_on_overflow   tcp_mtu_probing        tcp_wmem
    inet_peer_maxttl                   tcp_adv_win_scale       tcp_no_metrics_save    tcp_workaround_signed_windows
    inet_peer_minttl                   tcp_app_win             tcp_orphan_retries     udp_mem
    inet_peer_threshold                tcp_base_mss            tcp_reordering         udp_rmem_min
    ip_conntrack_max                   tcp_congestion_control  tcp_retrans_collapse   udp_wmem_min
    ip_default_ttl                     tcp_dma_copybreak       tcp_retries1
    [root@bigserver ~]# cat /proc/sys/net/ipv4/tcp_sack
    1
    [root@bigserver ~]# cat /proc/sys/net/ipv4/tcp_syn_retries
    5
    [root@bigserver ~]#

Transport Layer: TCP Tunable Kernel Parameters
tcp_fin_timeout – how long to keep a connection in the FIN-WAIT-2 state
tcp_keepalive_time – how long to keep an unused connection alive
tcp_sack – enable/disable selective acknowledgments
tcp_timestamps – enable the RFC 1323 timestamp option for round-trip measurement
tcp_window_scaling – enable RFC 1323 window scaling
tcp_retries1 – how many times to retry before reporting an error
tcp_retries2 – how many times to retry before killing the connection
tcp_syn_retries – how many times to retransmit the initial SYN of an active open (retransmission of the SYN-ACK reply is controlled by tcp_synack_retries)
In the same directory:
ip_forward – enable/disable forwarding of IP packets between interfaces; must be 1 on a host that routes or does NAT, and should be 0 elsewhere

Exercise
Google "linux tcp variables"

Security Issues

Transport Layer: Inherent security vulnerabilities with TCP/IP protocols
• Denial of service attack using SYN flooding
• Falsifying TCP communications by spoofing, fake RIP updates, bogus ping errors, malicious DNS entries, etc.
• Hijacking connections with sequence guessing, man-in-the-middle attacks, etc.
Defenses: firewalls, authentication, and
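The header layout, the socket 4-tuple and the three-way open and four-way close described in the transport layer slides, worked through in code. This is an added example for the lesson, not code from the CIS 192 materials: it decodes the fixed TCP header with Python's struct module, then follows the server side of a connection through the state changes the slides draw. The segments in demo_exchange() are constructed by hand (client port 42571 to server port 21, the ports of the FTP control connection on the capture slide); the initial sequence numbers 1000 and 5000 are arbitrary, and the checksum is left at zero because computing it needs the IP pseudo-header, which this example does not model.

```python
"""Decode TCP headers and track a connection's server-side state.

Added example for CIS 192 Lesson 6 (not course code).  Checksums are
left at zero: a real one covers an IP pseudo-header not modelled here."""
import struct
from dataclasses import dataclass

# Low six bits of the offset/flags word; the 6-bit reserved field sits
# between the 4-bit data offset and these, as on the header diagram.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08,
             "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


@dataclass
class TCPSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset
    window: int
    options: bytes
    data: bytes


def parse_tcp(raw: bytes) -> TCPSegment:
    """Parse a TCP segment (header plus payload, no IP header)."""
    if len(raw) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    (src, dst, seq, ack, off_flags,
     window, _checksum, _urgent) = struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (off_flags >> 12) * 4        # data offset is in 32-bit words
    if header_len < 20 or header_len > len(raw):
        raise ValueError("bad data offset %d" % (off_flags >> 12))
    flags = frozenset(n for n, bit in FLAG_BITS.items() if off_flags & bit)
    return TCPSegment(src, dst, seq, ack, flags, window,
                      raw[20:header_len], raw[header_len:])


def build_tcp(src_port, dst_port, seq, ack, flags, window=65535,
              options=b"", data=b"") -> bytes:
    """Build a segment; options are padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    off_flags = ((20 + len(options)) // 4) << 12
    off_flags |= sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                       ack & 0xFFFFFFFF, off_flags, window, 0, 0) + options + data


def socket_key(src_ip, dst_ip, seg: TCPSegment):
    """The 4-tuple that uniquely identifies the connection."""
    return (src_ip, seg.src_port, dst_ip, seg.dst_port)


def server_states(exchange):
    """Walk the server side of one connection.  `exchange` is a list of
    (direction, raw_segment) with direction "c2s" or "s2c".  Returns the
    server state after each segment.  Raises if an ACK does not carry the
    peer's ISN+1, which is what a forged SYN-ACK or final ACK fails."""
    state, client_isn, server_isn, trace = "LISTEN", None, None, []
    for direction, raw in exchange:
        seg = parse_tcp(raw)
        if "RST" in seg.flags:                                     # abnormal end
            state = "CLOSED"
        elif state == "LISTEN" and direction == "c2s" and seg.flags == {"SYN"}:
            client_isn, state = seg.seq, "SYN_RECEIVED"            # open step 1
        elif state == "SYN_RECEIVED" and direction == "s2c" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != (client_isn + 1) & 0xFFFFFFFF:
                raise ValueError("SYN-ACK does not acknowledge client ISN+1")
            server_isn = seg.seq                                   # open step 2
        elif state == "SYN_RECEIVED" and direction == "c2s" and "ACK" in seg.flags:
            if server_isn is None or seg.ack != (server_isn + 1) & 0xFFFFFFFF:
                raise ValueError("final ACK does not acknowledge server ISN+1")
            state = "ESTABLISHED"                                  # open step 3
        elif state == "ESTABLISHED" and direction == "c2s" and "FIN" in seg.flags:
            state = "CLOSE_WAIT"                                   # close step 1
        elif state == "CLOSE_WAIT" and direction == "s2c" and "FIN" in seg.flags:
            state = "LAST_ACK"                                     # close step 3
        elif state == "LAST_ACK" and direction == "c2s" and "ACK" in seg.flags:
            state = "CLOSED"                                       # close step 4
        trace.append(state)
    return trace


def demo_exchange(client_isn=1000, server_isn=5000):
    """Constructed segments: three-way open, then client-initiated close."""
    c, s = client_isn, server_isn
    return [
        ("c2s", build_tcp(42571, 21, c, 0, {"SYN"})),
        ("s2c", build_tcp(21, 42571, s, c + 1, {"SYN", "ACK"})),
        ("c2s", build_tcp(42571, 21, c + 1, s + 1, {"ACK"})),
        ("c2s", build_tcp(42571, 21, c + 1, s + 1, {"FIN", "ACK"})),
        ("s2c", build_tcp(21, 42571, s + 1, c + 2, {"ACK"})),
        ("s2c", build_tcp(21, 42571, s + 1, c + 2, {"FIN", "ACK"})),
        ("c2s", build_tcp(42571, 21, c + 2, s + 2, {"ACK"})),
    ]


if __name__ == "__main__":
    for state in server_states(demo_exchange()):
        print(state)
```

The ISN+1 checks are the point of the exercise for the security slide: sequence guessing only works when an attacker can predict the ISN that the acknowledgement must carry, so a tracker that rejects mismatched acknowledgements is what a stateful firewall's connection tracking does for every segment it sees.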
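The active-mode transfer on the capture slide, as an added example (not course code): the client sends a PORT command over the control connection naming the address and port it is listening on, and the server then opens the data connection back to it from port 20. The code decodes that PORT encoding (port = p1*256 + p2), rebuilds it, and derives the 4-tuple the server dials, which is exactly the inbound connection a firewall in front of the client has to permit and the reason the server suggests PASV. Addresses follow the slide (Frodo 172.30.4.83 with data port 42571, Legolas 192.168.2.150). The policy that the PORT host must match the control connection's peer and must be an unprivileged port is this example's own assumption, not something the slide states.

```python
"""Active-mode FTP: decode the PORT command and derive the data socket.

Added example for CIS 192 Lesson 6 (not course code)."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
SERVER_DATA_PORT = 20


def parse_port(line: str):
    """PORT h1,h2,h3,h4,p1,p2  ->  (IPv4Address, port) with port = p1*256 + p2."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return host, fields[4] * 256 + fields[5]


def build_port(host: str, port: int) -> str:
    """Inverse of parse_port: what an active-mode client sends."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def active_data_socket(control_peer: str, server_ip: str, line: str):
    """Return the (src_ip, src_port, dst_ip, dst_port) the server dials for
    an active-mode transfer, or raise ValueError.

    Policy (an assumption of this example): the PORT host must equal the
    control connection's peer and the port must be unprivileged, so the
    server is never talked into connecting to some third host."""
    host, port = parse_port(line)
    if host != ipaddress.IPv4Address(control_peer):
        raise ValueError("PORT host %s != control peer %s" % (host, control_peer))
    if port < 1024:
        raise ValueError("refusing to dial privileged port %d" % port)
    # This is the server-initiated connection a firewall in front of the
    # client must allow in; with PASV the client would dial out instead.
    return (server_ip, SERVER_DATA_PORT, str(host), port)


if __name__ == "__main__":
    cmd = build_port("172.30.4.83", 42571)
    print(cmd)
    print(active_data_socket("172.30.4.83", "192.168.2.150", cmd))
```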
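The tunable kernel parameters exercise and the security issues slide meet in /proc/sys/net/ipv4: several of the files in that listing are the host-side defences for the attacks the slide names (SYN flooding, bogus ICMP, a host forwarding packets it should not). The following audit is an added example, not course code: read_ipv4_sysctls() reads the files the way the cat commands on the slide do, and audit_ipv4() compares them to a small policy. The thresholds are this example's own choices, not values the slides give, and the ip_forward check assumes an ordinary host; on a router or NAT firewall such as Elrond, ip_forward is expected to be 1. The values returned by sample_values() are constructed.

```python
"""Audit /proc/sys/net/ipv4 tunables against a small hardening policy.

Added example for CIS 192 Lesson 6 (not course code).  Thresholds are
this example's own choices; the sample values are constructed."""
import os

# (parameter, predicate on the integer value, why it matters)
CHECKS = [
    ("tcp_syncookies", lambda v: v == 1,
     "SYN cookies answer SYNs without keeping state: the usual SYN-flood mitigation"),
    ("tcp_max_syn_backlog", lambda v: v >= 1024,
     "half-open connection queue; a small queue is exhausted sooner by a flood"),
    ("tcp_synack_retries", lambda v: v <= 3,
     "fewer SYN-ACK retransmissions free half-open entries faster under a flood"),
    ("ip_forward", lambda v: v == 0,
     "a host that is not a router or NAT firewall should not forward packets"),
    ("icmp_echo_ignore_broadcasts", lambda v: v == 1,
     "ignore broadcast pings so the host cannot be used as an amplifier"),
    ("tcp_rfc1337", lambda v: v == 1,
     "drop RSTs for sockets in TIME-WAIT (RFC 1337 TIME-WAIT assassination)"),
]


def read_ipv4_sysctls(base="/proc/sys/net/ipv4", names=None):
    """Read the named tunables (default: those in CHECKS) from procfs.
    A file that is missing or unreadable is reported as None."""
    names = names or [c[0] for c in CHECKS]
    values = {}
    for name in names:
        try:
            with open(os.path.join(base, name)) as fh:
                values[name] = fh.read().strip()
        except OSError:
            values[name] = None
    return values


def audit_ipv4(values):
    """Return (parameter, current_value, reason) for every failing check;
    an empty list means every listed tunable is acceptable."""
    findings = []
    for name, ok, why in CHECKS:
        raw = values.get(name)
        if raw is None:
            findings.append((name, None, "not present on this kernel"))
            continue
        try:
            value = int(raw.split()[0])   # multi-valued files: first field
        except ValueError:
            findings.append((name, raw, "unparseable value"))
            continue
        if not ok(value):
            findings.append((name, value, why))
    return findings


def sample_values():
    """Constructed: a host with default retries, forwarding left on."""
    return {"tcp_syncookies": "1", "tcp_max_syn_backlog": "1024",
            "tcp_synack_retries": "5", "ip_forward": "1",
            "icmp_echo_ignore_broadcasts": "1", "tcp_rfc1337": "0"}


if __name__ == "__main__":
    for name, value, why in audit_ipv4(read_ipv4_sysctls()):
        print("%-28s %-6s %s" % (name, value, why))
```

Writing a corrected value is the mirror of the cat on the slide (echo 1 > /proc/sys/net/ipv4/tcp_syncookies), but it does not survive a reboot; the persistent place for these settings is /etc/sysctl.conf.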
